Feb 21, 2023 - Technology

WhatsApp struggles to tame reassigned phone number issues

Illustration: Shoshana Gordon/Axios

An Axios reader has uncovered a persistent privacy flaw in encrypted messaging service WhatsApp that's proven difficult for the company to squash.

What's happening: Eric — who works in the tech industry but requested we withhold his last name — told Axios he discovered the flaw when his son moved to France for work, got a new SIM card and updated his WhatsApp account with a new phone number.

  • When Eric's son did this, his profile picture changed and new messages from random users started to pour in. Eric quickly realized his son had taken over the account of another WhatsApp user who used to have that phone number.
  • Eric reported the problem through WhatsApp parent company Meta's bug bounty program. Meta quickly dismissed the report, telling Eric that the issue was a concern but was outside the company's ability to fix.
  • A Vice reporter wrote about how he also accidentally hijacked someone else's WhatsApp account three years ago. WhatsApp acknowledges this can happen, although it's extremely rare.

The big picture: Eric's discovery is part of a broader issue with telecom providers quickly reassigning phone numbers after they've been forfeited.

  • The Federal Communications Commission currently requires telecom providers to wait at least 45 days before reassigning old numbers. Doing so gives the former owner of the number time to update accounts like WhatsApp.
  • However, that process doesn't always go smoothly. In a 2021 Princeton study, 66% of a sample of 259 phone numbers were still connected to accounts belonging to the previous owners.

Between the lines: This was the first time Eric had reported a potential security vulnerability to a tech vendor as an individual — and he found the bug bounty process "decent" since it gives vendors ample time to patch the flaw if they want and still allows researchers to go public if they're ignored.

  • "The reality is that it is designed for and works well for researcher-to-researcher teams," Eric told Axios. "That's a lot better than nothing."
  • "What we're describing here is really just a bug or a bad design," he added. "It's not the heart of what these programs are all about."

The other side: A WhatsApp spokesperson told Axios this problem happens in "extremely rare circumstances," and the issue stems from mobile operators quickly reassigning old phone numbers after they're forfeited.

  • WhatsApp also deletes accounts after 120 days of inactivity, and if an account is unused for 45 days and then is reactivated on a different device, WhatsApp deletes the account data it stores, like profile pictures.

The intrigue: Eric is going public with his findings so he can raise awareness about the issue with other WhatsApp users.

  • "I knew who to go and talk to because I'm in industry," he told Axios. "My son would've had no idea who to contact about this."

Be smart: If you change your phone number, be sure to quickly update any apps tied to it — including WhatsApp, Signal or other messaging apps — to prevent a future accidental takeover of your account.
